git-svn: trunk@3127
Tomasz Kojm authored on 2007/07/11 05:59:30... | ... |
@@ -1,3 +1,8 @@ |
1 |
+Tue Jul 10 22:02:15 CEST 2007 (tk) |
|
2 |
+---------------------------------- |
|
3 |
+ * libclamav/unrar/unrarvm.c: fix possible crash with corrupted archives (bb#555) |
|
4 |
+ Reported by Metaeye SG, patch from Trog |
|
5 |
+ |
|
1 | 6 |
Sun Jul 8 17:25:04 CEST 2007 (acab) |
2 | 7 |
------------------------------------ |
3 | 8 |
* misc: Implement compiler indepenedent sign-extended signed right shift |
... | ... |
@@ -1650,7 +1650,7 @@ int cli_unrar_extract_next(rar_state_t* state,const char* dirname) |
1650 | 1650 |
cli_dbgmsg("Computed File CRC: 0x%x\n", state->unpack_data->unp_crc^0xffffffff); |
1651 | 1651 |
if (state->unpack_data->unp_crc != 0xffffffff) { |
1652 | 1652 |
if (state->file_header->file_crc != (state->unpack_data->unp_crc^0xffffffff)) { |
1653 |
- cli_warnmsg("RAR CRC error. Please report the bug at http://bugs.clamav.net/\n"); |
|
1653 |
+ cli_warnmsg("RAR CRC error. If the file is not corrupted, please report at http://bugs.clamav.net/\n"); |
|
1654 | 1654 |
} |
1655 | 1655 |
} |
1656 | 1656 |
if (!retval) { |
... | ... |
@@ -347,18 +347,18 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil |
347 | 347 |
unsigned int file_offset, cur_pos, predicted; |
348 | 348 |
int32_t offset, addr; |
349 | 349 |
const int file_size=0x1000000; |
350 |
- |
|
350 |
+ |
|
351 | 351 |
switch(filter_type) { |
352 | 352 |
case VMSF_E8: |
353 | 353 |
case VMSF_E8E9: |
354 | 354 |
data=rarvm_data->mem; |
355 | 355 |
data_size = rarvm_data->R[4]; |
356 | 356 |
file_offset = rarvm_data->R[6]; |
357 |
- |
|
358 |
- if (data_size >= VM_GLOBALMEMADDR) { |
|
357 |
+ |
|
358 |
+ if ((data_size >= VM_GLOBALMEMADDR) || (data_size < 4)) { |
|
359 | 359 |
break; |
360 | 360 |
} |
361 |
- |
|
361 |
+ |
|
362 | 362 |
cmp_byte2 = filter_type==VMSF_E8E9 ? 0xe9:0xe8; |
363 | 363 |
for (cur_pos = 0 ; cur_pos < data_size-4 ; ) { |
364 | 364 |
cur_byte = *(data++); |
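Review bot: The new lower bound `data_size < 4` at line 358 is a bare literal that has to stay in step with the `data_size-4` loop bound at line 363, and nothing in the hunk records why it is there. Because `cur_pos` is unsigned, the comparison is done in unsigned arithmetic, so with `data_size` below 4 the bound wraps to a very large value and the scan presumably runs `data` well past `rarvm_data->mem`. A comment above the check would capture that, for example `/* data_size is read from R[4]; below 4 the unsigned bound data_size-4 wraps and the E8/E9 scan leaves the VM memory */`. The rest of the switch in execute_standard_filter lies outside this hunk, so it is worth confirming whether the other filter cases subtract a constant from `data_size` in a loop bound; any that do would need the equivalent lower-bound check. The whitespace-only changes at lines 350, 357 and 361 add noise to a security fix and could be left out.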